Filter for traffic separation

ABSTRACT

The invention relates to a filter for an open system interconnection layer2 traffic separation in at least one Access Switching Router (42) in a network (40), having ports in the routers (42, 44) configured to the same virtual local area network. The filter is filtering data packet traffic to the ports, simulating that if the source device and destination device are in the same layer2 domain, the router layer2 address is the actual destination address both for the source and destination device. It is also simulating that if the source device and destination device are not in the same layer2 domain but in the same layer3 subnet, the router layer2 address is the actual destination layer2 address for the source to the destination. This filtering makes it possible to use one IP subnet, spreading it over several premises and a multiple of Access Switching Routers, with the same subnet in multiple layer2 domains, thus covering more customers.

TECHNICAL FIELD

The present invention pertains to a filter for an open system interconnection layer2 traffic separation in at least one router in a network, and a method therefor.

BACKGROUND ART

When deploying network devices such as routers and switches for an Ethernet® based network or the like, the current OSI layer2 (Open Systems Interconnection) technology, deploying MAC addressing (Media Access Control addressing), enables VLANs (Virtual Local Area Networks) to be used for separating physical ports in a device, such as a router or switch, on layer2, and to bind ports belonging to the same VLAN together over multiple devices, so called “trunking”.

On OSI layer3, deploying IP addressing through routers, each VLAN requires a different IP subnet for addressing. Over the past few years several attempts have been made in using this technology to deploy a broadband network.

Ethernet® is a shared medium according to CSMA/CD (Carrier Sense Multiple Access with Collision Detect), which means that all hosts that are connected to one and the same Ethernet® get all traffic, but they select it in dependence of their MAC address.

A typical broadband network consists of a number of switches or routers deployed in a residential area to connect individual households to a common infrastructure, the so called service provider infrastructure.

By using Ethernet technology to accomplish this, it immediately introduces a security problem of connecting different premises such as households and the like to a single shared infrastructure as Ethernet provides.

A service provider has to consider:

-   Connecting each customer to a separate VLAN—thereby requiring numerous small IP subnets, one for each VLAN, to preserve layer2 separation,
-   Connecting customers to a single VLAN—thereby requiring a single, larger IP subnet, but introducing the risk of allowing layer2 access between different customers, for example, Microsoft X file-sharing.

To solve this filtering problem some implementations use port protection features where traffic between two ports in the same device that are comprised in the same VLAN is prevented. This means that the hosts connected on those ports are unable to exchange any traffic. Further enhancements to this type of solution have included forwarding packets between the protected ports to an upstream filtering device that makes a decision if data packet traffic should be permitted, and if so, forwarding the traffic back to its destination. This will of course put more load on the backbone link used between the switch and the filtering device.

With a current increase in the number of computers connected to Ethernet® networks, the problem regarding data traffic collisions grows. In order to solve this problem, bridges were invented, which divide an Ethernet® into several segments and remember/learn in which segments the different MAC addresses reside. Thereafter, forwarding is only accomplished for packets that are aimed at the broadcast address or at a MAC address that resides in another segment than the one it was transmitted from. But the different segments are still part of the same broadcast domain.

Current switches are further developments of the bridge. They could be said to have a bridge in every port. The switch remembers/learns which MAC addresses reside on every port, respectively, and achieves forwarding between ports only if the traffic is intended for a MAC address on a different port. Every port thus becomes a segment, but every port (all segments) is still a part of the same broadcast domain, as a broadcast is transmitted to every port. An advantage with a switch is that it communicates at high speeds, which makes it possible for a number of ports to communicate with each other at the same time at maximum speed.

Switching technique has progressed, e.g. through the introduction of VLAN, trunking and spanning-tree.

VLAN makes it possible to group ports in a switch into different broadcast domains. It involves that the ports comprised in a specific VLAN are unable to communicate with ports in a different VLAN, at least not through layer2, which calls for a router to connect such ports.

In RFC 1027 (Request For Comment document under the control of IETF; Internet Engineering Task Force) a technique known as “Proxy-ARP” is described, in which a routing device responds to ARP requests for any address outside the local subnet requested by a locally connected host, thereby making the host send all traffic to the router without requiring the understanding of an IP default-route. This was used in the early days of the Internet to guide hosts in lack of a complete understanding of IP to communicate using the IP protocol. It is rarely used today.

SUMMARY OF THE DESCRIBED INVENTION

The present invention aims to solve problems related to OSI layer2 broadcasting and the limited possibility to divide IP addresses into subsets for a plurality of VLANs.

In order to achieve its goals and aims, the present invention sets forth a filter for an open system interconnection layer2 traffic separation in at least one Access Switching Router in a network. The ports in the routers are configured to the same virtual local area network. The filter is filtering data packet traffic to the ports. It further comprises:

-   means for intercepting layer2 traffic from a network connected source device for a MAC-address belonging to the virtual local area network, determining if traffic is permitted to be forwarded to other ports;
-   means for intercepting Address Resolution Protocol broadcasts in such traffic, responding to the broadcast to the source device regardless of whether the destination device layer2 domain is the same as the source device layer2 domain, the source device thus determining that the broadcast has acknowledged the layer2 address of a sought destination device, whereby the source device transmits data packets to the destination device, the router receiving the transmitted data packets;
-   means for determining the egress port to the destination device;
-   means for determining the layer2 address of the destination device;
-   means for adjusting the layer2 header of the received data packet, the means for setting the source layer2 address setting a router source address for the data packets, the means for determining the layer2 address of the destination device setting the destination layer2 address to that of the destination device, transmitting the data packet to the destination device; and
-   thus simulating that if the source device and destination device are in the same layer2 domain, the router layer2 address is the actual destination address both for the source and destination device, or simulating that if the source device and destination device are not in the same layer2 domain but in the same layer3 subnet, the router layer2 address is the actual destination layer2 address for the source to the destination.

In one embodiment of the present invention it is provided that a port that resides in a sub router is provided with said router's layer2 address when addressing the destination device.

Another embodiment provides that a router is investigating the source and/or destination address to determine the best exit port for the packet, to determine if the packet is in profile for rate-limiting, or to do other filtering based on information in the open system interconnection layer3 and higher protocol layers.

A further embodiment provides that the Access Switching Router is a combination of a layer2 switch and a layer3 router, combining the capabilities of layer2 switching with advanced packet control and forwarding decisions in a layer3 router.

A still further embodiment is providing the use of one IP subnet, spreading it over several premises and a multiple of Access Switching Routers and the same subnet in multiple layer2 domains, thus covering more customers. Yet another embodiment is providing a customer having multiple computers to receive more addresses.

The present invention also sets forth a method for a filter in an open system interconnection layer2 traffic separation in at least one Access Switching Router in a network, a router having ports in the routers configured to the same virtual local area network. The filter is filtering data packet traffic to the ports. It further comprises the steps of:

-   intercepting layer2 traffic from a network connected source device (HostA, HostB) for a Media Access Control address belonging to the virtual local area network, determining if traffic is permitted to be forwarded to other ports;
-   intercepting Address Resolution Protocol broadcasts in such traffic, responding to the broadcast to the source device regardless of whether the destination device layer2 domain is the same as the source device layer2 domain, the source device thus determining that the broadcast has acknowledged the layer2 address of a sought destination device, whereby the source device transmits data packets to the destination device, a router receiving the transmitted data packets;
-   determining the egress port to the destination device;
-   determining the layer2 address of the destination device;
-   adjusting the layer2 header of the received data packet, the means for setting the source layer2 address setting the router's source address for the data packets, the means for determining the layer2 address of the destination device setting the destination layer2 address to that of the destination device, transmitting the data packet to the destination device; and
-   thus simulating that if the source device and destination device are in the same layer2 domain, the router layer2 address is the actual destination address both for the source and destination device, or simulating that if the source device and destination device are not in the same layer2 domain but in the same layer3 subnet, the router layer2 address is the actual destination layer2 address for the source to the destination.

It is appreciated that the method is able to perform the steps of the attached set of dependent method claims conforming to the above described embodiments.

BRIEF DESCRIPTION OF THE DRAWINGS

Henceforth reference is had to the accompanying drawings for a better understanding of given examples and embodiments of the present invention, whereby:

FIG. 1 schematically illustrates a residential area connected to a broadband network in accordance with prior art;

FIG. 2 schematically illustrates a gateway connected between two broadband networks in accordance with prior art; and

FIG. 3 schematically illustrates a broadband network in accordance with the present invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

In order to be able to understand the solution, in accordance with the present invention, to problems related to layer2 data traffic, it is also important to understand the fundamental features of IP addressing. A fundamental part of using Ethernet® for IP communication is the use of the ARP (Address Resolution Protocol) protocol. ARP is used to resolve between OSI layer2 and layer3 addresses. It enables hosts to determine the layer2 address of another device when the layer3 address is already known. This is used when a host on an IP subnet intends to communicate with another host on that same subnet. The ARP is thus used for interpretation between layer2 addresses (Ethernet® MAC addresses) and layer3 addresses (IP).

A fundamental part of IP is that not every device in a network needs to know about a provided global routing table. If a device has a packet to forward to an unknown destination, the device may be configured with a default-route, a path to use for any traffic for which there is not an explicit route. The default route is always an IP address on a subnet that the host is directly attached to. The layer2 address of the default route is remembered/learned by the ARP protocol unless it is statically configured in the host.

In accordance with the present invention, a router is defined as a device that analyses OSI layer 3 or higher protocol information to make a traffic forwarding decision.

This includes but is not limited to investigating the source and/or destination address to determine the best exit port for the packet, to determine if the packet is in profile for rate-limiting, or to do other filtering based on information in the OSI layer3 and higher protocol layers.

The Access Switching Router (ASR) is a combination of a layer2 switch and a layer3 router. It combines the capabilities of layer2 switching with advanced packet control and forwarding decisions in a layer3 router. This definition fits the definition of a router in accordance with the present invention and also incorporates the unique filtering features described herein.

The advantages of the present invention enable all Ethernet® ports on the ASR to be configured to the same VLAN, which enables the ports to share the same IP subnet. Hence, no dividing of the subnet, for example, a 32 bit IP address, has to take place. Every time a subnet is created two addresses disappear. Those are the so called net address and the address being the subnet's broadcast address. When corporations, Internet service providers etc. connect to the Internet they apply for IP addresses. An assignment of addresses is dependent on how many computers are connected to the network, how the network is to be designed and its pace of growth in the following years.

Given an example, a company is assigned 192.168.1.0/24 as address, where /24 denotes the dimension of the subnet. As IP addresses have 32 binary bits, it is easier to provide an example in binary notation:

11000000 10101000 00000001 00000000   192.168.1.0

/24 equals a decimal subnet-mask of 255.255.255.0, corresponding in binary to:

11111111 11111111 11111111 00000000   255.255.255.0

The part of a subnet where the subnet-mask is 0, below denoted the host part, is the part that is allowed to be used for setting an IP address for the single computers. The part where the subnet-mask is 1 must always be the same. Two addresses in the host part may never be used for computers, and these are the net-number itself, when the host part only comprises binary 0, and the broadcast address, when the host part only comprises binary 1. Hence:

11000000 10101000 00000001 00000000   192.168.1.0
11000000 10101000 00000001 11111111   192.168.1.255

It is not likely that 250 computers are connected to one and the same segment. Probably it consists of several segments divided into several layer2 broadcast domains, thus every layer2 domain needs one IP subnet of its own. Therefore it is necessary to divide the 256 addresses into smaller subnets. This is accomplished by further prolonging the subnet-mask, i.e., the part comprising binary 1.

EXAMPLE

11000000 10101000 00000001 00000000   192.168.1.0
11111111 11111111 11111111 11000000   255.255.255.192

The subnet-mask is now intruding on two bits in the last octet. This means that there are 6 bits left for a host address, which decimally corresponds to 64. Hence, the 256 addresses have turned into four subnets of 64 addresses each.

11000000 10101000 00000001 00000000   192.168.1.0
11111111 11111111 11111111 11000000   255.255.255.192
11000000 10101000 00000001 01000000   192.168.1.64
11111111 11111111 11111111 11000000   255.255.255.192
11000000 10101000 00000001 10000000   192.168.1.128
11111111 11111111 11111111 11000000   255.255.255.192
11000000 10101000 00000001 11000000   192.168.1.192
11111111 11111111 11111111 11000000   255.255.255.192

Each and every one of these four subnets has two addresses that are not allowed to be used. Decimally, they are:

Subnet 192.168.1.0     forbidden 192.168.1.0 and 192.168.1.63
Subnet 192.168.1.64    forbidden 192.168.1.64 and 192.168.1.127
Subnet 192.168.1.128   forbidden 192.168.1.128 and 192.168.1.191
Subnet 192.168.1.192   forbidden 192.168.1.192 and 192.168.1.255

In binary:

11000000 10101000 00000001 00000000   192.168.1.0
11111111 11111111 11111111 11000000   255.255.255.192
11000000 10101000 00000001 00111111   192.168.1.63
11111111 11111111 11111111 11000000   255.255.255.192
11000000 10101000 00000001 01000000   192.168.1.64
11111111 11111111 11111111 11000000   255.255.255.192
11000000 10101000 00000001 01111111   192.168.1.127
11111111 11111111 11111111 11000000   255.255.255.192
11000000 10101000 00000001 10000000   192.168.1.128
11111111 11111111 11111111 11000000   255.255.255.192
11000000 10101000 00000001 10111111   192.168.1.191
11111111 11111111 11111111 11000000   255.255.255.192
11000000 10101000 00000001 11000000   192.168.1.192
11111111 11111111 11111111 11000000   255.255.255.192
11000000 10101000 00000001 11111111   192.168.1.255
11111111 11111111 11111111 11000000   255.255.255.192

It is now possible to divide one of these 64 address subnets into two parts, receiving two subnets of 32 addresses, but which each comprise two forbidden addresses:

11000000 10101000 00000001 11000000   192.168.1.192
11111111 11111111 11111111 11100000   255.255.255.224
11000000 10101000 00000001 11011111   192.168.1.223
11111111 11111111 11111111 11100000   255.255.255.224
11000000 10101000 00000001 11100000   192.168.1.224
11111111 11111111 11111111 11100000   255.255.255.224
11000000 10101000 00000001 11111111   192.168.1.255
11111111 11111111 11111111 11100000   255.255.255.224

In a broadband network 32 addresses are in excess for a single household. Every computer connected to a subnet is deemed to have an address, which also includes the default-gateway router; there is a demand of at least two addresses for every household, one for the computer and one for the router. If the household is in control of more than one computer, a bigger subnet is needed.

Therefore, two addresses per household requires that the smallest subnet has to have the dimension of four addresses. Binary:

11000000 10101000 00000001 00000000   192.168.1.0
11111111 11111111 11111111 11111100   255.255.255.252

Since two addresses are forbidden:

11000000 10101000 00000001 00000000   192.168.1.0
11111111 11111111 11111111 11111100   255.255.255.252
11000000 10101000 00000001 00000011   192.168.1.3
11111111 11111111 11111111 11111100   255.255.255.252

the addresses left to use are 192.168.1.1 and 192.168.1.2. In the next subnet, the addresses 192.168.1.4 and 192.168.1.7 are forbidden. Addresses that can be used are 192.168.1.5 and 192.168.1.6, and so forth.

Out of the 256 addresses from the start there are 256/4=64 subnets or 64 customers. One half of the addresses in these kinds of small subnets are retained as broadcast and net addresses, and the loss of address space is 50%.

If subnets are designed in bigger dimensions, the loss of address space due to broadcast and net addresses decreases (8 addresses per subnet provides 256/8=32 subnets, a 25% loss of address space). But there are 6 useful addresses per subnet, and if the router is provided one, there are 5 addresses per household. If those 5 addresses are not fully used, because there are not more than two computers in every household, there still is an address loss, as 3 addresses are not used.

Through the solution in accordance with one embodiment of the present invention, it is enabled to use 254 addresses of the 256 provided in the subnet and spread it over several premises and multiple ASRs, thus covering more customers. If one customer has more computers than another customer, no extra loss of address space is introduced, as the customer with the greater number of computers receives more addresses. Therefore, the loss of address space with the present invention is held at a few percent if the network is built to optimize the address space.
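The address-space arithmetic of the preceding paragraphs, carried out in code. This is an added example and not part of the patent text; it recomputes the 50% and 25% loss figures for per-customer /30 and /29 subnets and the 254 usable addresses of one shared /24, using only the standard library. The assumption of two computers per household follows the description; the function names are ours.

```python
"""Address-space loss of small per-customer subnets versus one shared subnet.

Added example, not part of the patent text; it recomputes the figures given
above for 192.168.1.0/24 with the standard library only.
"""
import ipaddress

BLOCK = ipaddress.ip_network("192.168.1.0/24")  # the block used in the description


def dotted_binary(addr):
    """Render an address or mask as four binary octets, like the tables above."""
    return " ".join(f"{octet:08b}" for octet in ipaddress.ip_address(addr).packed)


def carve(block, prefixlen):
    """Split block into equal subnets; rows of (subnet, net address, broadcast address)."""
    return [(str(s), str(s.network_address), str(s.broadcast_address))
            for s in block.subnets(new_prefix=prefixlen)]


def per_customer_loss(block, prefixlen, computers=2, router_in_subnet=True):
    """Loss when every customer gets its own subnet of the given prefix length.

    reserved: net + broadcast addresses that can never be assigned
    idle:     addresses left over in each subnet when a household has only
              `computers` machines (and the router takes one address)
    """
    subnets = list(block.subnets(new_prefix=prefixlen))
    n = len(subnets)
    size = subnets[0].num_addresses
    reserved = 2 * n
    per_household = size - 2 - (1 if router_in_subnet else 0)
    idle = max(per_household - computers, 0) * n
    total = block.num_addresses
    return {
        "subnets": n,
        "usable_per_subnet": size - 2,
        "reserved": reserved,
        "reserved_pct": 100.0 * reserved / total,
        "idle": idle,
        "loss_pct": 100.0 * (reserved + idle) / total,
    }


def shared_subnet(block):
    """One subnet spread over all ASR ports: only the net and broadcast address are lost."""
    usable = block.num_addresses - 2
    return {"usable": usable, "loss_pct": 100.0 * 2 / block.num_addresses}


if __name__ == "__main__":
    for pl in (26, 27, 29, 30):
        print(f"/{pl}:", per_customer_loss(BLOCK, pl))
    print("shared /24:", shared_subnet(BLOCK))
    print(dotted_binary("255.255.255.192"), "= 255.255.255.192")
```

Running the block prints one row per prefix length; the `idle` figure is what the description calls the three unused addresses per household in an 8-address subnet, and it is what the shared-subnet design avoids.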

According to the present invention a filter is applied which hinders any layer2 traffic between the ports belonging to the VLAN, except traffic with protocol options indicating that the data carried in the layer2 packet is IP, IPv6 or any other traffic acceptable for the purpose of communication. This means that even though the ports belong to the same layer2 broadcast domain, traffic between them is prevented from being switched based on their source and destination layer2 address.
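An added illustration of the port filter described in the preceding paragraph; it is not code from the patent. It parses a raw Ethernet II header (with an optional 802.1Q tag), reads the EtherType, and returns the verdict a customer port would apply: IPv4 and IPv6 go to the layer3 path, ARP is intercepted by the ASR itself, and everything else carried on layer2 is dropped. The `ROUTABLE` set, the MAC addresses and the sample frames are constructed for the example.

```python
"""EtherType-based separation filter for customer ports.

Added example, not code from the patent. The policy set and the test frames
are constructed for the illustration.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100  # 802.1Q tag
ETHERTYPE_IPV6 = 0x86DD

ROUTABLE = {ETHERTYPE_IPV4, ETHERTYPE_IPV6}  # assumed "acceptable" payloads


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame):
    """Return (dst, src, ethertype, payload); strips one 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (etype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    return mac_str(dst), mac_str(src), etype, frame[offset:]


def classify(frame):
    """Port-filter verdict for a frame arriving on a customer port.

    'route'     - IPv4/IPv6: handed to the layer3 path, never switched on layer2
    'intercept' - ARP: answered by the ASR itself, not flooded to other ports
    'drop'      - anything else, including IEEE 802.3/LLC frames (length field
                  below 0x0600), where non-IP neighbour-to-neighbour protocols live
    """
    _, _, etype, _ = parse_ethernet(frame)
    if etype < 0x0600:
        return "drop"
    if etype == ETHERTYPE_ARP:
        return "intercept"
    return "route" if etype in ROUTABLE else "drop"


def build_frame(dst, src, etype, payload, vlan=None):
    """Build a constructed Ethernet II frame (MACs are made up for the example)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    return hdr + struct.pack("!H", etype) + payload


HOST_A = "02:00:00:00:00:0a"
ASR_42 = "02:00:00:00:00:42"
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample frames: minimal IPv4/IPv6/ARP headers and one 802.3 LLC frame.
IPV4_FRAME = build_frame(ASR_42, HOST_A, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
ARP_FRAME = build_frame(BROADCAST, HOST_A, ETHERTYPE_ARP, b"\x00\x01\x08\x00" + b"\x00" * 24)
IPV6_TAGGED = build_frame(ASR_42, HOST_A, ETHERTYPE_IPV6, b"\x60" + b"\x00" * 39, vlan=100)
LLC_FRAME = build_frame(BROADCAST, HOST_A, 0x0030, b"\xf0\xf0\x03" + b"\x00" * 45)

if __name__ == "__main__":
    for name, f in [("ipv4", IPV4_FRAME), ("arp", ARP_FRAME),
                    ("ipv6/tagged", IPV6_TAGGED), ("llc", LLC_FRAME)]:
        print(f"{name:12s} -> {classify(f)}")
```

The `< 0x0600` check matters in practice: a legacy IEEE 802.3 frame carries a length rather than an EtherType in that field, and such LLC/SNAP traffic is exactly the kind of non-IP layer2 protocol the filter is meant to keep from crossing between customer ports.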

When a client attached to a port starts to transmit, the first packet will traverse the Ethernet® segment, including the ASR.

Whenever the client host seeks to communicate with another host it will issue an ARP request for either the default-route, if the destination is not part of the client host's IP subnet, or the destination itself, if its destination address is on the same subnet as the client host. This ARP request is a layer2 broadcast, which typically traverses the entire VLAN. The ARP message is intercepted, in accordance with the present invention, by the ASR and prevented from being forwarded to any other port belonging to that VLAN. If the ARP request is for a destination that is present on any other port on the ASR, or if the destination is known in the ASR layer3 routing table, the ASR responds to the ARP request with its own MAC-address as next-hop. This procedure makes the client host believe, i.e. simulates, that the ASR layer2 address is the destination layer2 address to be used to reach the real layer3 destination. Thus, the client host transmits the packet to the ASR layer2 address.

If the packet is determined to be forwarded out on another of the ASR ports, based on the destination layer3 address and the content of the ASR routing table and/or address resolution table, the source MAC address of the packet is changed to the ASR layer2 address on the egress port. The source IP address will continue to be that of the original client host address. Thereby, the receiving host remembers/learns that the source client host address maps to the ASR layer2 address, and any return traffic to the source client host is directed to the ASR rather than directly to the source client MAC address. In this manner both the source and the destination client hosts are simulated to believe that the ASR MAC-address is the address of the other host, and communication flow is maintained.

To be able to communicate with TCP/IP a host has to be configured with:

-   an IP address
-   a subnet-mask
-   a default-gateway
-   a name server

A name server is used to translate between names and IP addresses on the Internet.

FIG. 1 schematically illustrates a residential area connected to a broadband network 10 in accordance with prior art. At switch 12 is depicted a VLAN with all ports 14 connected to it, meaning that neighbours have layer2 access between themselves. This enables one neighbour to, for example, browse another neighbour's hard-drive. In the switch 16 every port 14 belongs to a different VLAN, which requires a small IP subnet per VLAN. This is a waste of address space because every subnet introduces unusable addresses for the network and the broadcast feature. A subnet with two usable addresses also requires two unusable addresses, wasting 50% of the address space. The devices 18 in FIG. 1 are routers.

FIG. 2 schematically illustrates a gateway 30 connected between two broadband networks 32, 34 in accordance with prior art, also depicting HostA, HostB and HostC.

The following sequences describe the conventional operation of ARP and IP routing.

The first sequence of steps 1)-9) provides an example where HostA transmits to HostB with reference to FIG. 2:

-   1) HostA has an IP packet to send
-   2) HostA compares HostA's address+subnetmask with HostB's address
-   3) HostB is on the same network as HostA
-   4) HostA sends an ARP broadcast to Network1 requesting HostB's layer2 address.
-   5) HostB recognizes the request for its layer2 address
-   6) HostB responds
-   7) HostA now has HostB's layer2 address
-   8) HostA transmits data
-   9) HostB receives data

The second sequence of steps 1)-17) provides an example where HostA transmits to HostC with reference to FIG. 2:

-   1) HostA has an IP packet to send
-   2) HostA compares HostA's address+subnetmask with HostC's address
-   3) HostC is not on the same network as HostA
-   4) HostA sends an ARP broadcast to Network1 requesting the Gateway's layer2 address
-   5) The Gateway recognizes the request for its layer2 address
-   6) The Gateway responds
-   7) HostA now has the Gateway's layer2 address
-   8) HostA transmits data
-   9) The Gateway receives data
-   10) The Gateway strips away the layer2 information from the packet
-   11) The Gateway looks up HostC's address in the routing table and determines the egress interface
-   12) The Gateway sends an ARP broadcast to Network2 requesting HostC's layer2 address
-   13) HostC recognizes the request for its layer2 address
-   14) HostC responds
-   15) The Gateway now has HostC's layer2 address
-   16) The Gateway builds a new layer2 header for the packet and transmits data
-   17) HostC receives data.

If the gateway 30 had not been directly connected to Network2, step 12 would instead have been “forwarding the packet towards Network2”, repeating steps 9, 10, 11 and the new step 12 in every gateway along the path until the gateway that is connecting directly to Network2 receives the packet, where steps 12-17 according to the flow above would commence.

FIG. 3 schematically illustrates a broadband network 40 in accordance with the present invention, having two ASR routers 42, 44. HostA and HostB are connected to router 42 and HostC is connected to router 44. Both routers 42 and 44 have a direct connection between each other, where router 42 comprises the filter of the present invention. FIG. 3 also depicts a HostD connected to the broadband network via the Internet.

The filter of the present invention is provided for an open system interconnection layer2 traffic separation in at least one ASR router 42 in a broadband network 40. All ports (not shown) in the routers 42, 44 are configured to the same VLAN. ASR 44 is a sub router to router 42 or just connected, and provides the same filtering advantages in accordance with the present invention. Data packet traffic is intercepted by the router 42 comprising the filter, which is filtering data packet traffic to the ports. The filter comprises:

-   means for intercepting layer2 traffic from a network connected source device (HostA, HostB) for a MAC-address belonging to the virtual local area network, determining if traffic is permitted to be forwarded to other ports;
-   means for intercepting Address Resolution Protocol broadcasts in such traffic, responding to the broadcast to the source device regardless of whether the destination device layer2 domain is the same as the source device layer2 domain, the source device thus determining that the broadcast has acknowledged the layer2 address of a sought destination device, whereby the source device transmits data packets to the destination device, the router receiving the transmitted data packets;
-   means for determining the egress port to the destination device;
-   means for determining the layer2 address of the destination device;
-   means for adjusting the layer2 header of the received data packet, the means for setting the source layer2 address setting the router's source address for the data packets, the means for determining the layer2 address of the destination device setting the destination layer2 address to that of the destination device, transmitting the data packet to the destination device.

The filter of the present invention is thus simulating that if the source device and destination device are in the same layer2 domain, the router layer2 address is the actual destination address both for the source and destination device, or simulating that if the source device and destination device are not in the same layer2 domain but in the same layer3 subnet, the router layer2 address is the actual destination layer2 address for the source to the destination.

It is appreciated that the means of the present invention preferably are software building blocks in a router or a combination of hardware and software.

In the following, three scenarios for packet flow in accordance with the present invention and with reference to FIG. 3 are provided.

It is to be noted that in IP routing, the encapsulation and decapsulation of layer2 headers on an IP packet is a conventional procedure. The IP header with the IP source and destination address is left untouched, while the layer2 headers for Ethernet, TokenRing, FrameRelay, ATM or whatever other layer2 technology is used change. Because the layer2 protocol is not routable, the source address is always set to that of the device transmitting the packet. This is conventional.

The first scenario with sequence steps 1) to 13) describes packet transmission from HostA to HostB. Both hosts are connected to ports in the same ASR. The ports are configured to belong to the same broadcast domain (VLAN), but port protection with additional features is enabled on the ASR in accordance with the present invention.

First Scenario

-   1) HostA has an IP packet to send
-   2) HostA compares its address+subnetmask with HostB and determines they are on the same subnet.
-   3) HostA sends an ARP broadcast for HostB's address
-   4) Because of filters between the ASR 42 ports, the broadcast cannot reach HostB.
-   5) The ASR intercepts the ARP broadcast and determines it knows where HostB is located.
-   6) The ASR responds to the ARP request for HostB, setting its own layer2 address as the address for HostB
-   7) HostA receives the ARP response and thinks it now knows the layer2 address for HostB.
-   8) HostA transmits data
-   9) ASR 42 receives data.
-   10) ASR 42 removes the layer2 information and determines the egress port for HostB
-   11) ASR 42 sets its own layer2 address as source for the packet and encapsulates the packet for HostB.
-   12) ASR 42 transmits data
-   13) HostB receives the data from HostA.

Because the ASR 42 layer2 address is set as source, HostB believes that the layer2 address of ASR 42 is that of HostA. Likewise, due to the ARP response, HostA will believe that the layer2 address of ASR 42 is that of HostB.

The second scenario with sequence steps 1) to 18) describes packet transmission from HostA to HostC. The hosts are connected to ports on different ASRs, but the address sharing features of the ASR and the central management system have arranged for the hosts to receive IP addresses by DHCP from the same IP subnet. The ASRs have exchanged routing information informing each other about connected hosts.

Second Scenario

-   1) HostA has an IP packet to send
-   2) HostA compares its address+subnetmask with HostC and determines they are on the same subnet.
-   3) HostA sends an ARP broadcast for HostC's address
-   4) Because of filters between the ASR 42 ports, the broadcast does not reach any other port on the ASR.
-   5) ASR 42 intercepts the ARP broadcast and determines it knows where HostC is located.
-   6) ASR 42 responds to the ARP request for HostC, setting its own layer2 address as the address for HostC
-   7) HostA receives the ARP response and thinks it now knows the layer2 address for HostC.
-   8) HostA transmits the packet
-   9) ASR 42 receives the packet.
-   10) ASR 42 removes the layer2 information and determines the egress port for HostC.
-   11) ASR 42 encapsulates the packet with appropriate layer2 headers for the link to ASR 44.
-   12) ASR 42 forwards the packet towards ASR 44
-   13) ASR 44 receives the packet.
-   14) ASR 44 removes the layer2 encapsulation used on the link from ASR 42.
-   15) ASR 44 determines the egress port for the packet towards HostC.
-   16) ASR 44 encapsulates the packet with layer2 headers, setting its own layer2 address as source.
-   17) ASR 44 transmits data
-   18) HostC receives the data from HostA.

Because ASR 42 responds to the ARP request, HostA believes that the layer2 address of ASR 42 is that of HostC. Because ASR 44 sets its own layer2 address as source for the packet to HostC in the final steps above, HostC believes that the layer2 address of ASR 44 is that of HostA.

The third scenario, with sequence steps 1) to 15), describes packet transmission from HostA to HostD. HostA is connected to a port on ASR 42. HostD is connected somewhere on the Internet.

Third Scenario

-   1) HostA has an IP packet to send.
-   2) HostA compares its address and subnet mask with HostD's and determines that they are not on the same subnet.
-   3) HostA sends an ARP broadcast for the default-gateway address.
-   4) Because of the filters between the ASR 42 ports, the broadcast cannot reach any other port on the ASR.
-   5) The ASR intercepts the ARP broadcast and determines that it is the default gateway.
-   6) The ASR responds to the ARP request for the default gateway with its own layer2 address.
-   7) HostA receives the ARP response and thinks it now knows the layer2 address of the default gateway.
-   8) HostA transmits data.
-   9) ASR 42 receives the data.
-   10) ASR 42 removes the layer2 information and determines the egress port for HostD.
-   11) ASR 42 encapsulates the packet with the appropriate layer2 headers for the link towards HostD.
-   12) Gateways along the path between ASR 42 and HostD repeat steps 9-11.
-   13) The gateway connecting HostD receives the packet.
-   14) That gateway performs an ARP lookup and forwards the packet towards HostD according to Internet standards.
-   15) HostD receives the data.
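The three scenarios above as a runnable simulation. This is an added example and not code from the patent: it models the ASR filter's three behaviours, namely that an ARP broadcast never leaves its ingress port, that the ASR answers the request with its own layer2 address whenever it knows where the target host is (or is the default gateway), and that on egress the ASR rewrites the source layer2 address to its own before delivering the frame. The MAC and IP addresses, the single /24 subnet, the gateway address, and all class and function names are constructed assumptions. The rule that a port may only address the ASR's own layer2 address (frames to any other destination are not forwarded between ports) is an assumed reading of "determining if traffic is permitted to be forwarded to other ports" in claim 1.

```python
"""Simulation of the ASR layer2 separation filter (added example, not the patent's code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed values; the patent names no addresses.
ASR_MAC = {"ASR42": "02:00:00:00:00:42", "ASR44": "02:00:00:00:00:44"}
SUBNET = ipaddress.ip_network("10.0.0.0/24")   # the one subnet shared across both ASRs
GATEWAY_IP = "10.0.0.1"                          # default gateway that every ASR answers for
INTERNET = "INTERNET"                            # pseudo egress for off-subnet destinations
DROPPED = "DROPPED"


@dataclass
class Host:
    name: str
    mac: str
    ip: str
    asr: Optional[str]                       # ASR whose port the host sits on; None = on the Internet
    arp_cache: dict = field(default_factory=dict)   # ip -> layer2 address the host believes in
    received: list = field(default_factory=list)    # delivered frames: (src_mac, dst_mac, src_ip, dst_ip)


def in_subnet(ip: str) -> bool:
    return ipaddress.ip_address(ip) in SUBNET


class Network:
    def __init__(self, hosts):
        self.hosts = {h.ip: h for h in hosts}
        # Location table the ASRs build by exchanging routing information about connected hosts.
        self.location = {h.ip: h.asr for h in hosts if h.asr is not None}
        self.link_frames = []   # frames carried on the ASR 42 <-> ASR 44 link (second scenario)

    def arp(self, src: Host, target_ip: str) -> Optional[str]:
        """Steps 3-7 of each scenario: the broadcast is confined to the ingress port,
        so no other host sees it. The ASR answers with its own layer2 address when
        it knows the target or is the default gateway; otherwise nobody answers."""
        if target_ip == GATEWAY_IP or target_ip in self.location:
            src.arp_cache[target_ip] = ASR_MAC[src.asr]
        return src.arp_cache.get(target_ip)

    def send(self, src: Host, dst_ip: str):
        """Steps 1-2 and 8 onwards: pick the next hop, resolve it, transmit."""
        next_hop = dst_ip if in_subnet(dst_ip) else GATEWAY_IP
        l2_dst = src.arp_cache.get(next_hop) or self.arp(src, next_hop)
        if l2_dst is None:
            return DROPPED
        return self.asr_ingress(src.asr, src.mac, l2_dst, src.ip, dst_ip)

    def asr_ingress(self, asr, src_mac, dst_mac, src_ip, dst_ip):
        """Steps 9-11: the ingress ASR strips layer2 and decides the egress port."""
        # Separation rule (assumed): a port may only address the ASR itself, so a frame
        # carrying another host's real layer2 address is never forwarded between ports.
        if dst_mac != ASR_MAC[asr]:
            return DROPPED
        if not in_subnet(dst_ip):
            return INTERNET                        # third scenario: routed towards HostD
        egress_asr = self.location.get(dst_ip)
        if egress_asr is None:
            return DROPPED
        if egress_asr != asr:                      # second scenario, steps 11-14
            self.link_frames.append((asr, egress_asr, src_ip, dst_ip))
        return self.asr_egress(egress_asr, src_ip, dst_ip)

    def asr_egress(self, asr, src_ip, dst_ip):
        """Steps 15-17: re-encapsulate with the egress ASR's own MAC as source."""
        dst = self.hosts[dst_ip]
        frame = (ASR_MAC[asr], dst.mac, src_ip, dst_ip)
        dst.received.append(frame)
        return frame


def run_scenarios():
    """Run the first, second and third scenario plus one separation check."""
    host_a = Host("HostA", "02:aa:aa:aa:aa:0a", "10.0.0.10", "ASR42")
    host_b = Host("HostB", "02:bb:bb:bb:bb:0b", "10.0.0.11", "ASR42")
    host_c = Host("HostC", "02:cc:cc:cc:cc:0c", "10.0.0.12", "ASR44")
    host_d = Host("HostD", "02:dd:dd:dd:dd:0d", "198.51.100.7", None)
    net = Network([host_a, host_b, host_c, host_d])
    results = {
        "first": net.send(host_a, host_b.ip),     # same ASR, same subnet
        "second": net.send(host_a, host_c.ip),    # different ASR, same subnet
        "third": net.send(host_a, host_d.ip),     # off-subnet, via default gateway
        # Separation check: a frame addressed to HostB's real MAC is not forwarded.
        "direct": net.asr_ingress("ASR42", host_a.mac, host_b.mac, host_a.ip, host_b.ip),
    }
    return net, {h.name: h for h in (host_a, host_b, host_c, host_d)}, results


if __name__ == "__main__":
    net, hosts, results = run_scenarios()
    for name, outcome in results.items():
        print(f"{name}: {outcome}")
    print("HostA ARP cache:", hosts["HostA"].arp_cache)
```

After the run, HostA's ARP cache holds the ASR 42 address for HostB, HostC and the default gateway alike, HostB and HostC have only ever received frames whose source layer2 address is that of their own ASR, and the frame addressed straight to HostB's real MAC is dropped. That is the property the filter is built for: customers sharing one IP subnet across ports and across ASRs never learn each other's real layer2 addresses and cannot reach each other except through the router.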

The present invention has been described through examples and embodiments not intended to limit the scope of protection, whereby a person skilled in the art is able to derive further embodiments from the attached set of claims.

1. A filter for an open system interconnection layer2 traffic separation in at least one Access Switching Router (42, 44) in a network (40), having ports in the routers (42, 44) configured to the same virtual local area network, said filter filtering data packet traffic to said ports, characterized in that it comprises: means for intercepting layer2 traffic from a network connected source device (HostA, HostB) for a Media Access Control address belonging to said virtual local area network, determining if traffic is permitted to be forwarded to other ports; means for intercepting Address Resolution Protocol broadcasts in such traffic, responding to said broadcast to said source device (HostA, HostB) regardless of if a destination device layer2 domain is the same as source device layer2 domain, said source device (HostA, HostB) thus determining that the broadcast has acknowledged the layer2 address of a sought destination device (HostC, HostD), whereby the source device (HostA, HostB) transmits data packets to the destination device (HostC, HostD), said routers receiving said transmitted data packets; means for determining the egress port to said destination device; means for determining the layer2 address of said destination device (HostC, HostD); means for adjusting the layer2 header from said received data packet, said means for setting the source layer2 address, setting said routers source address for the data packets, said means for determining the layer2 address of the destination device (HostC, HostD), setting the destination layer2 address to that of the destination device (HostC, HostD), transmitting the data packet to the destination device (HostC, HostD); and thus simulating that if the source device (HostA, HostB) and destination device (HostC, HostD) is in the same layer2 domain, the router layer2 address is the actual destination address both for the source and destination device, or simulating that if the source device and destination device are not in the same layer2 domain but in the same layer3 subnet, the router layer2 address is the actual destination layer2 address for the source to the destination.
2. A filter according to claim 1, characterized in that a port that resides in a sub router (42, 44) is provided with said routers (42, 44) layer2 address when addressing the destination device (HostC).
3. A filter according to claim 1, characterized in that the router (42, 44) is investigating the source and/or destination address to determine the best exit port for the packet, to determine if the packet is in profile for rate-limiting, or to do other filtering based on information in the open system interconnection layer3 and higher protocol layers.
4. A filter according to claim 1, characterized in that a router (42, 44) is a combination of a layer2 switch and a layer3 router, combining the capabilities of layer2 switching with advanced packet control and forwarding decisions in a layer3 router.
5. A filter according to claim 1, characterized in that it is providing the use of one IP subnet, spreading it over several premises and a multiple of Access Switching Router and the same subnet in multiple layer2 domains, whereby it is covering more customers.
6. A filter according to claim 5, characterized in that it is providing a customer having multiple computers to receive more addresses.
7. A method for a filter for an open system interconnection layer2 traffic separation in at least one Access Switching Router (42, 44) in a network (40), having ports in the routers (42, 44) configured to the same virtual local area network, said filter filtering data packet traffic to said ports, characterized in that it comprises: intercepting layer2 traffic from a network connected source device (HostA, HostB) for a Media Access Control address belonging to said virtual local area network, determining if traffic is permitted to be forwarded to other ports; intercepting Address Resolution Protocol broadcasts in such traffic, responding to said broadcast to said source device (HostA, HostB) regardless of if a destination device layer2 domain is the same as source device layer2 domain, said source device (HostA, HostB) thus determining that the broadcast has acknowledged the layer2 address of a sought destination device (HostC, HostD), whereby the source device (HostA, HostB) transmits data packets to the destination device (HostC, HostD), said routers receiving said transmitted data packets; determining the egress port to said destination device; determining the layer2 address of said destination device (HostC, HostD); adjusting the layer2 header from said received data packet, said means for setting the source layer2 address, setting said routers source address for the data packets, said means for determining the layer2 address of the destination device (HostC, HostD), setting the destination layer2 address to that of the destination device (HostC, HostD), transmitting the data packet to the destination device (HostC, HostD); and thus simulating that if the source device (HostA, HostB) and destination device (HostC, HostD) is in the same layer2 domain, the router layer2 address is the actual destination address both for the source and destination device, or simulating that if the source device and destination device are not in the same layer2 domain but in the same layer3 subnet, the router layer2 address is the actual destination layer2 address for the source to the destination.
8. A method for a filter according to claim 7, characterized in that a port that resides in a sub router (42, 44) is provided with said routers (42, 44) layer2 address when addressing the destination device (HostC).
9. A method for a filter according to claim 7, characterized in that a router (42, 44) is investigating the source and/or destination address to determine the best exit port for the packet, to determine if the packet is in profile for rate-limiting, or to do other filtering based on information in the open system interconnection layer3 and higher protocol layers.
10. A method for a filter according to claim 7, characterized in that a router (42, 44) is a combination of a layer2 switch and a layer3 router, combining the capabilities of layer2 switching with advanced packet control and forwarding decisions in a layer3 router.
11. A method for a filter according to claim 7, characterized in that it is providing the use of one IP subnet, spreading it over several premises and a multiple of Access Switching Router and the same subnet in multiple layer2 domains, whereby it is covering more customers.
12. A method for a filter according to claim 11, characterized in that it is providing a customer having multiple computers to receive more addresses.